Privacy Policy

I. The scope of the policy

1. This policy applies to Pannonsat Limited (registered office: Hévíz, Római u. 4.; tax number: 11532008220; company registration number: 20 09 063452), henceforth referred to as: the enterprise.

II. Purpose of the policy

2. The purpose of this policy is to ensure the effective protection of personal data and the exercise of the right to informational self-determination. The policy also sets out the data security and data protection rules of the enterprise.

III. Applicable legislation

3. The enterprise complies with the following legislation:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, henceforth: GDPR)
  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (henceforth: Infocl.)
  • Act V of 2013 on the Hungarian Civil Code (henceforth: Civil Code)
  • Act I of 2012 on the Hungarian Labour Code (henceforth: Labour Code)

IV. Definitions

4. The GDPR definitions relevant to this policy:

  • personal data: means any information relating to an identified or identifiable natural person (‘data subject’);
  • data subject: the identified or identifiable natural person to whom personal data relate; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • processing:  means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • recipient: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  • third party:  means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • filing system: means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  • personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  • representative: means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under the GDPR;
  • enterprise: means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

Other definitions:

  • data asset inventory: the document in which the controller records and assesses the personal data it processes
  • binding corporate rules:  means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

V. Principles relating to processing of personal data

5. Personal data processed by the enterprise shall be:

6. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

7. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) of the GDPR, not be considered to be incompatible with the initial purposes (‘purpose limitation’);

8. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

9. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

10. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

11. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

12. The enterprise, as controller, shall be responsible for, and be able to demonstrate compliance with, the principles set out in paragraphs 6 to 11 (‘accountability’).

VI. Lawfulness of processing

13. Processing shall be lawful only if and to the extent that at least one of the following applies:

14. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

15. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

16. processing is necessary for compliance with a legal obligation to which the controller is subject;

17. processing is necessary in order to protect the vital interests of the data subject or of another natural person;

18. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

19. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

VII. Data asset inventory

20. The enterprise maintains a data asset inventory in order to comply with the GDPR.

21. For each personal data processing activity, the enterprise records the following in the data asset inventory:

  • The data subjects concerned [for example: customer, employee]
  • The purpose of the processing [for example: employment-related processing]
  • The categories of personal data concerned [for example: name, address, email address]
  • The special categories of personal data concerned [for example: genetic data]
  • The envisaged period for which the personal data will be stored [for example: 8 months]
  • The legal basis for the processing [for example: contract]
  • The recipients or categories of recipient within the enterprise to whom the personal data have been or will be disclosed [for example: editor]
  • The recipients or categories of recipient outside the enterprise to whom the personal data have been or will be disclosed [for example: authorities]
  • If the enterprise uses a processor: the name of the processor, the categories of personal data the processor can access and the envisaged period for which the processor can access them [for example: server provider]

VIII. Rights of the data subject

22. In accordance with the GDPR, the enterprise ensures the following rights for data subjects.

Right to information

23. The data subject has the right to information about the processing of his or her personal data.

24. The enterprise provides concise, transparent and intelligible information to the data subject.

25. The information shall be provided in writing, including in electronic form.

Providing requested information for the data subject

26. If the identity of the data subject has been verified, the information may also be provided orally at the data subject’s request.

27. The enterprise provides the requested information without undue delay and in any event within 30 days of receipt of the request.

28. Taking into account the complexity and number of the requests, the 30-day period may be extended by a further 60 days. The enterprise informs the data subject of the extension and of the reasons for it within 30 days of receipt of the request. If the data subject made the request electronically, the information shall be provided electronically, unless the data subject requests otherwise.

29. The requested information shall be provided free of charge.

30. If a request of the data subject is manifestly unfounded or excessive, in particular because of its repetitive character, the enterprise, taking into account the administrative costs, may either:

  • charge a reasonable fee for providing the information, or
  • refuse to act on the request.

31. The burden of demonstrating that the request is manifestly unfounded or excessive lies with the enterprise.

Providing mandatory information

32. Where the enterprise collects personal data directly from the data subject, it provides the following information in every case:

  • the identity and contact details of the enterprise and, where applicable, of its representative;
  • where applicable, the contact details of the data protection officer;
  • the purposes of the processing and the legal basis for the processing;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where applicable, the specific recipients of the personal data;
  • where personal data are transferred to a third country or to an international organisation, the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.

33. When first obtaining the personal data, the enterprise additionally informs the data subject of the following:

  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

34. If the enterprise intends to further process the personal data for a purpose other than that for which they were collected, it shall, before that further processing, inform the data subject of that other purpose and provide all the information listed in paragraph 33.

35. The enterprise may inform data subjects in several ways.

  • The enterprise may provide the information as an annex to this Privacy Policy. In that case it is sufficient to provide the information applicable to the category of data subject concerned.

Right of access by the data subject

36. The data subject has the right of access to his or her personal data.

37. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

38. The enterprise provides the data subject with a copy of the personal data undergoing processing.

39. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

Right to rectification

40. The data subject shall have the right to obtain from the enterprise without undue delay the rectification of inaccurate personal data concerning him or her.

41. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (‘right to be forgotten’)

42. The right to erasure (‘right to be forgotten’) does not apply automatically; it applies only on the grounds listed below.

43. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
  • the data subject objects to the processing pursuant to paragraph 53 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to paragraph 55;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

44. The enterprise does not erase personal data where their processing is necessary for compliance with the legal rules governing the processing to which the enterprise is subject.

45. Where the enterprise receives a request to erase personal data, it first verifies that the request comes from the data subject. For this purpose the enterprise may request data identifying the contract between the enterprise and the requester, the personal identification data of the data subject, and the number issued by the enterprise for the document established for the data subject.

46. Where the enterprise is obliged to erase personal data, it ensures that the data are erased from every database in which they are held.

47. The enterprise draws up a record of the erasure to prove that the personal data have been erased. The record is signed by the representative of the enterprise or by a person authorised to do so. The erasure record contains the following information:

  • the name of the data subject
  • the category of the erased personal data
  • the date of the erasure.

48. The enterprise informs each recipient to whom the personal data have been disclosed of the obligation to erase them.

Right to restriction of processing

49. The data subject has the right to obtain restriction of processing of his or her personal data.

50. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the enterprise no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pursuant to paragraph 53, pending the verification whether the legitimate grounds of the enterprise override those of the data subject; in this case the restriction applies until it has been established that the legitimate grounds of the enterprise override those of the data subject.

51. Where processing has been restricted under paragraph 50, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

52. A data subject who has obtained restriction of processing pursuant to paragraph 50 shall be informed by the enterprise before the restriction of processing is lifted.

Right to object

53. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on paragraph 18 or paragraph 19 (public interest or legitimate interests).

54. The enterprise shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

55. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

56. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Right to data portability

57. The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to the enterprise, where the processing is carried out by automated means.

58. The enterprise provides those personal data to the data subject in a structured, commonly used and machine-readable format, and the data subject has the right to transmit those data to another controller without hindrance from the enterprise.

IX. Records of processing activities

59. The enterprise keeps records of processing activities in order to comply with the GDPR.

60. The enterprise maintains the following records of processing activities:

  • data transmission record
  • record of the rights and requests of the data subjects
  • record of requests of authorities and the provided information of the enterprise
  • record of the requests about the erasure of personal data
  • record of customers
  • record of requests with marketing purpose
  • record of employment related personal data processing
  • record of employee recruitment
  • record of personal data breaches.

61. The enterprise and, where applicable, the enterprise’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

  • the name and contact details of the enterprise and, where applicable, of the joint controller, the enterprise’s representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures.

62. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

  • the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
  • the categories of processing carried out on behalf of each controller;
  • where applicable, transfers of personal data to a third country or an international organisation.

63. The records shall be in writing, including in electronic form.

X. Security of personal data

64. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

65. The enterprise ensures the ongoing confidentiality, integrity, availability and resilience of the personal data it processes and of the systems that process them.

66. To establish sufficient protection of the data, the enterprise assesses every record and assigns it an appropriate security level.

67. The enterprise and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

68. To ensure the security of personal data, the enterprise applies physical, logical and administrative measures.

69. The enterprise applies the following physical measures:

  • The enterprise operates an access control system to screen out unauthorised persons and ensure that they cannot enter the offices of the enterprise.
  • The enterprise ensures that unauthorised persons cannot access paper or electronic documents containing personal data.

70. The enterprise applies the following logical measures:

  • The enterprise ensures that only authorised persons can access the personal data it processes.

71. The enterprise applies the following administrative measures:

  • The enterprise ensures that access to personal data is documented so that it can be traced.
  • The enterprise operates a document handling process that supports the detection of inaccurate personal data.

XI. Notification of a personal data breach

72. A personal data breach which is not addressed with appropriate measures may result in a risk to the rights and freedoms of natural persons.

73. In the case of a personal data breach, the enterprise shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.

74. The enterprise does not have to notify the supervisory authority where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

75. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

76. Where the notification to the supervisory authority of the personal data breach is obligatory, the enterprise in the notification shall:

  • describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach;
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

77. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

78. The communication to the data subject referred to in paragraph 77 shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in paragraph 76.

79. The communication to the data subject referred to in paragraph 77 shall not be required if any of the following conditions are met:

  • the enterprise has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  • the enterprise has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
  • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

80. Where the enterprise acts as a processor, it notifies the controller without undue delay after becoming aware of a personal data breach.

81. Where the enterprise uses a processor, the processor’s contract shall provide that the processor is responsible for reporting personal data breaches to the enterprise without undue delay.

XII. Processing customer data

82. The processing of customer data is based on the contract between the enterprise and the contracting party.

83. The enterprise may process personal data obtained in connection with the contract (for example personal contact details). In that case a legitimate interest assessment (balancing test) is carried out in accordance with the GDPR, covering:

  • the purpose of the processing
  • the legal basis for the processing
  • the personal data processed
  • the legitimate interest pursued by the enterprise
  • the assessment of the risks to the data subject’s personal data
  • the balancing of the interests
  • how the enterprise guarantees the protection of the personal data.

84. The legitimate interest assessments form an annex to this Privacy Policy.

XIII. Employment related data protection

85. In accordance with paragraph 36 of this Privacy Policy, the enterprise applies paragraphs 33 and 34 to job applications as well. In job applications the enterprise refers to the Privacy Policy through its contact details.

86. If the enterprise wishes to retain the personal data of an applicant after the position has been filled, it obtains the applicant’s consent. The consent shall be specific and informed. The written consent contains the following:

  • the name and contact details of the enterprise’s representative
  • the purpose of the processing and the legal basis for the processing
  • where possible, the envisaged period for which the personal data will be processed
  • the right of the data subject to request access to, rectification or erasure of his or her personal data
  • the right of the data subject to withdraw consent at any time, without affecting the lawfulness of the processing carried out by the enterprise before the withdrawal
  • the right of the data subject to lodge a complaint with the competent supervisory authority.

87. After the recruitment, the personal data of unsuccessful applicants are, on request, returned to the applicant within 90 days, or, in the absence of the applicant’s consent to their use in future recruitment, erased. A record of the erasure is drawn up.

88. The enterprise processes the personal data of employees in accordance with the Hungarian Labour Code and informs employees in accordance with the Labour Code, while also complying with the GDPR.

89. The enterprise informs employees of the processors it uses and of the categories of personal data transferred to them.

90. The following legal bases may apply to employment-related processing:

  • contract
  • legal obligation
  • legitimate interest.

91. Where the enterprise processes data on the basis of legitimate interest (paragraph 90), a legitimate interest assessment (balancing test) is carried out in accordance with the GDPR, covering:

  • the legitimate interest pursued by the enterprise
  • the assessment of the risks to the data subject’s personal data
  • the balancing of the interests
  • how the enterprise guarantees the protection of the personal data.

92. The legitimate interest assessments are made available to the employees of the enterprise.

XIV. Principles relating to the employment of the data processor

93. Where processing is carried out on behalf of the enterprise by another party, the enterprise uses only processors that guarantee the security of the processing and comply with the GDPR.

94. The processor shall not engage another processor without the prior written authorisation of the enterprise.

95. The enterprise and the processor conclude a binding written contract on the processing of personal data. The contract sets out the purpose and envisaged duration of the processing, the categories of personal data processed and the obligations of the parties.

96. The contract referred to in paragraph 95 requires the processor to:

  • process personal data only on the written instructions of the enterprise;
  • ensure that the persons authorised to access the personal data have signed a non-disclosure agreement;
  • apply at least the data security measures that are mandatory for the enterprise;
  • comply with the enterprise’s requirements for processors set out above;
  • taking into account the categories of data processed, apply technical measures that assist the enterprise in complying with the regulations and with the requests of data subjects;
  • assist the enterprise in complying with its obligations in the event of a personal data breach, taking into account the categories of data processed and the information available;
  • notify the enterprise without undue delay if a personal data breach occurs on its side;
  • after the end of the provision of the service, return all personal data to the enterprise or erase the personal data and all copies of them, unless Union or Member State law requires storage of the personal data.

97. The processor and any person authorised to access personal data shall process them only on the instructions of the enterprise.

XV. Entry into force and application

98. This policy enters into force on 12. 06. 2021.